.\" Manpage for dnstwist
.TH DNSTWIST 1 "2020-07-05" "" "User Commands"

.SH NAME
dnstwist \- domain name permutation engine

.SH SYNOPSIS
.SY dnstwist
.OP \-a|\-\-all
.OP \-b|\-\-banners
.OP \-d|\-\-dictionary FILE
.OP \-f|\-\-format FORMAT
.OP \-g|\-\-geoip
.OP \-m|\-\-mxcheck
.OP \-o|\-\-output FILE
.OP \-r|\-\-registered
.OP \-s|\-\-ssdeep
.OP \-\-ssdeep\-url URL
.OP \-t|\-\-threads NUMBER
.OP \-w|\-\-whois
.OP \-\-nameservers LIST
.OP \-\-tld FILE
.OP \-\-useragent STRING
.I DOMAIN
.YS

.SH DESCRIPTION
Find similar-looking domain names that adversaries can use to attack you.

Detect typosquatters, phishing attacks, fraud and brand impersonation.

Useful as an additional source of targeted threat intelligence.

.SH OPTIONS
.TP
\fB\-a\fR, \fB\-\-all\fR
Show all DNS records.
.TP
\fB\-b\fR, \fB\-\-banners\fR
Determine HTTP and SMTP service banners.
.TP
\fB\-d\fR, \fB\-\-dictionary\fR \fIFILE\fR
Generate additional domains using a dictionary read from \fIFILE\fR.
.TP
\fB\-f\fR, \fB\-\-format\fR \fIFORMAT\fR
Select the output format. Supported values are: \fBcli\fR (default), \fBcsv\fR, \fBlist\fR, \fBjson\fR.
.TP
\fB\-g\fR, \fB\-\-geoip\fR
Look up the GeoIP location.
.TP
\fB\-h\fR, \fB\-\-help\fR
Display a help message and exit.
.TP
\fB\-m\fR, \fB\-\-mxcheck\fR
Check whether the MX host can be used to intercept e-mails.
.TP
\fB\-o\fR, \fB\-\-output\fR \fIFILE\fR
Save output to \fIFILE\fR.
.TP
\fB\-r\fR, \fB\-\-registered\fR
Show only registered domain names.
.TP
\fB\-s\fR, \fB\-\-ssdeep\fR
Fetch web pages and compare their fuzzy hashes to evaluate similarity.
.TP
\fB\-\-ssdeep\-url\fR \fIURL\fR
Override the \fIURL\fR from which the original web page is fetched.
.TP
\fB\-t\fR, \fB\-\-threads\fR \fINUMBER\fR
Start the specified \fINUMBER\fR of threads (default: \fB10\fR).
.TP
\fB\-w\fR, \fB\-\-whois\fR
Look up the WHOIS creation date.
.TP
\fB\-\-nameservers\fR \fILIST\fR
DNS servers to query (comma-separated \fILIST\fR).
.TP
\fB\-\-tld\fR \fIFILE\fR
Generate additional domains by swapping the TLD with entries read from \fIFILE\fR.
.TP
\fB\-\-useragent\fR \fISTRING\fR
User-Agent to send with HTTP requests (default: \fBMozilla/5.0 dnstwist\fR).

.SH NOTES
The program runs the provided domain through its fuzzing algorithms and generates a list of
potential phishing domains with the following DNS records: A, AAAA, NS and MX.
Usually thousands of domain permutations are generated, especially for longer input domains.
In such cases, it may be practical to display only the registered (resolvable) ones using the \fB\-\-registered\fR argument.
Ensure your local DNS server can handle thousands of requests within a short period of time.
Otherwise, you can specify an external DNS server with the \fB\-\-nameservers\fR argument.

.SS Fuzzy hashing
Manually checking whether each domain name serves a phishing site can be time-consuming.
To address this, \fBdnstwist\fR makes use of so-called fuzzy hashes (context triggered piecewise hashes).
Fuzzy hashing makes it possible to compare two inputs
(in this case HTML code) and determine a fundamental level of similarity.
This unique feature of \fBdnstwist\fR can be enabled with the \fB\-\-ssdeep\fR argument.
For each generated domain, \fBdnstwist\fR will fetch content from the responding HTTP server (following possible redirects)
and compare its fuzzy hash with the one for the original (initial) domain.
The level of similarity is expressed as a percentage.

Please keep in mind that a 100% match is rather unlikely for a dynamically generated web page.
However, each notification should be inspected carefully regardless of the score.

In some cases, phishing sites are served from a specific URL.
If you provide a full or partial URL address as an argument,
\fBdnstwist\fR will parse it and apply it to each generated domain name variant.
This is obviously useful only with the fuzzy hashing feature.
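
The Python sketch below is an added illustration, not code from \fBdnstwist\fR or ssdeep.
It implements a simplified context triggered piecewise hash to show why a page with one changed region
still scores high against the original while an unrelated page scores low.
The hash, the sample pages and all names are constructed for this example, and its scores are not comparable to real ssdeep scores.
.EX
```python
import difflib

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193

def toy_ctph(data: bytes, block: int = 16, window: int = 7) -> str:
    """Simplified context triggered piecewise hash; NOT ssdeep-compatible."""
    signature, piece = [], FNV_BASIS
    for i, byte in enumerate(data):
        piece = ((piece ^ byte) * FNV_PRIME) & 0xFFFFFFFF
        # The trigger looks only at the last `window` bytes, so piece
        # boundaries re-align shortly after an inserted or changed region.
        if sum(data[max(0, i - window + 1):i + 1]) % block == block - 1:
            signature.append(B64[piece % 64])
            piece = FNV_BASIS
    signature.append(B64[piece % 64])  # hash of the trailing piece
    return "".join(signature)

def similarity(page_a: bytes, page_b: bytes) -> int:
    """Score two pages from 0 to 100 by comparing their signatures."""
    matcher = difflib.SequenceMatcher(None, toy_ctph(page_a), toy_ctph(page_b),
                                      autojunk=False)
    return round(100 * matcher.ratio())

# Constructed sample pages, not taken from any real site.
ROWS = "".join(f"<p>Notice {n}: review statement {n * 37} today.</p>"
               for n in range(20))
ORIGINAL = ("<html><title>Example sign-in</title><body>" + ROWS
            + "<form action='/login'><input name='user'></form></body></html>"
            ).encode()
# Same markup with only the form target changed.
LOOKALIKE = ORIGINAL.replace(b"action='/login'",
                             b"action='https://lookalike.invalid/collect'")
UNRELATED = ("<html><title>Parked domain</title><body>"
             + "".join(f"<li>Sponsored listing {n}, offer {n + 5}</li>"
                       for n in range(30))
             + "</body></html>").encode()

def score_candidates() -> dict:
    """Compare each candidate page against ORIGINAL."""
    pages = {"identical": ORIGINAL, "lookalike": LOOKALIKE,
             "unrelated": UNRELATED}
    return {name: similarity(ORIGINAL, body) for name, body in pages.items()}

if __name__ == "__main__":
    for name, score in score_candidates().items():
        print(f"{name:10s} {score:3d}%")
```
.EE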

.SS MX checking
Very often attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive.
In this scenario, attackers would configure their server to vacuum up all e-mail addressed to that domain,
regardless of the user it was addressed to. Another \fBdnstwist\fR feature (enabled with \fB\-\-mxcheck\fR) performs a simple test
on each mail server (advertised through a DNS MX record) to check which ones can be used for such hostile intent.
Suspicious servers will be marked with the \fBSPYING-MX\fR string.

Please be aware of possible false positives.
Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages.
This technique is used to prevent directory harvesting attacks.
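
As an added illustration (not the code \fBdnstwist\fR uses), the Python sketch below shows one way such a test can work:
offer the server a random mailbox that almost certainly does not exist and classify its reply to RCPT TO.
The sender address, the result labels other than \fBSPYING-MX\fR and the FakeMX stand-in are assumptions made for this example.
.EX
```python
import smtplib
import uuid

def open_session(host: str) -> smtplib.SMTP:
    """Connect to a real MX; a fixed local_hostname skips the FQDN lookup."""
    return smtplib.SMTP(host, 25, local_hostname="probe.invalid", timeout=10)

def classify_mx(host: str, domain: str, connect=open_session) -> str:
    """Offer the MX a random mailbox and classify its RCPT TO reply."""
    probe = f"{uuid.uuid4().hex}@{domain}"   # almost certainly nonexistent
    try:
        session = connect(host)
    except OSError:                          # includes smtplib.SMTPException
        return "unreachable"
    try:
        session.ehlo()
        mail_code, _ = session.mail("postmaster@probe.invalid")
        if not 200 <= mail_code < 300:
            return "inconclusive"            # sender refused, RCPT says nothing
        rcpt_code, _ = session.rcpt(probe)
    except OSError:
        return "inconclusive"
    finally:
        try:
            session.quit()
        except OSError:
            pass
    if 200 <= rcpt_code < 300:
        # Candidate only: some servers accept any recipient and then discard.
        return "SPYING-MX"
    if 400 <= rcpt_code < 500:
        return "inconclusive"                # greylisting or temporary failure
    return "rejects-unknown"

class FakeMX:
    """Constructed stand-in for smtplib.SMTP with a fixed RCPT TO reply code."""
    def __init__(self, rcpt_code: int):
        self.rcpt_code = rcpt_code
    def ehlo(self): return 250, b"mx.test"
    def mail(self, sender): return 250, b"ok"
    def rcpt(self, recipient): return self.rcpt_code, b""
    def quit(self): return 221, b"bye"

if __name__ == "__main__":
    for code in (250, 451, 550):
        verdict = classify_mx("mx.test", "examp1e.test",
                              lambda h, c=code: FakeMX(c))
        print(code, verdict)
```
.EE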

.SS Dictionaries
If domain permutations generated by the fuzzing algorithms are insufficient, please use the \fB\-\-dictionary\fR option
with a file to generate more domain variants.
If you need to check whether domains with different TLDs exist, you can use the \fB\-\-tld\fR argument.

.SS Coverage
As the length of the domain grows, the number of variants generated by the algorithms increases considerably,
and so does the number of DNS queries needed to verify them. It's mathematically impossible to check all domain
permutations, especially for longer input domains.

For this reason, \fBdnstwist\fR generates and checks domains very close to the original one.
Theoretically, these are the most attractive domains from the attacker's point of view.
However, be aware that the imagination of the aggressors is unlimited.
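
The growth can be made concrete with the added Python example below, which is not the fuzzing code of \fBdnstwist\fR.
It counts the valid hostname labels within one and two single-character typos (omission, transposition, replacement, insertion) of a label.
The choice of these four edits and all function names are assumptions of this example.
.EX
```python
import string

LDH = string.ascii_lowercase + string.digits + "-"   # 37 hostname characters

def is_valid_label(label: str) -> bool:
    """A DNS label is 1 to 63 characters and may not start or end with '-'."""
    return 0 < len(label) <= 63 and label[0] != "-" and label[-1] != "-"

def edits1(label: str) -> set:
    """All valid labels exactly one typo away from `label`."""
    splits = [(label[:i], label[i:]) for i in range(len(label) + 1)]
    out = {a + b[1:] for a, b in splits if b}                          # omit
    out |= {a + b[1] + b[0] + b[2:] for a, b in splits if len(b) > 1}  # swap
    out |= {a + c + b[1:] for a, b in splits if b for c in LDH}        # replace
    out |= {a + c + b for a, b in splits for c in LDH}                 # insert
    return {s for s in out if is_valid_label(s) and s != label}

def neighbours(label: str, distance: int) -> set:
    """All valid labels reachable in at most `distance` typos."""
    seen, frontier = {label}, {label}
    for _ in range(distance):
        frontier = {e for s in frontier for e in edits1(s)} - seen
        seen |= frontier
    return seen - {label}

if __name__ == "__main__":
    # Constructed labels of increasing length; each count is one DNS query
    # per record type that would have to be issued to verify it.
    for label in ("bank", "example", "examplebank"):
        one = len(neighbours(label, 1))
        two = len(neighbours(label, 2))
        print(f"{label:12s} len={len(label):2d}  1 typo: {one:5d}  2 typos: {two:8d}")
```
.EE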
